According to vpnMentor, cybersecurity researcher Jeremiah Fowler discovered an unprotected online database containing more than 3.5 million records.
The database, believed to be associated with Brisbane-based fashion retailer SABO, was found to be accessible without encryption or password protection.
The exposed documents included invoices, shipping records, and return information, with personally identifiable data such as names, physical and email addresses, and phone numbers.
The records, stored in PDF format, covered transactions from 2015 to 2025 and appeared to be part of an internal system for managing sales and logistics.
Some files contained multiple customer orders, indicating that the number of affected individuals could exceed the total number of documents.
Upon notification, SABO restricted access to the database within hours, although the company did not respond to the disclosure.
It remains unclear whether the database was managed internally or by an external provider, and the duration of the exposure has not been confirmed.
The exposure of customer and transaction data presents several risks for both individuals and organisations.
vpnMentor said that detailed order histories and contact information can be used to facilitate targeted phishing and social engineering campaigns.
Attackers with access to this information may craft convincing messages that appear legitimate, increasing the likelihood of successful fraud attempts.
Email remains a primary vector for cyberattacks, with phishing and malware distribution accounting for a significant portion of incidents.
The use of advanced writing tools has made fraudulent emails more difficult to detect.
vpnMentor said the incident also highlights the risk of “brushing scams,” where criminals use leaked personal data to send unsolicited goods and post fake reviews.
Recent industry reports reflect the growing concern over cyber risk.
Beazley’s 2025 Risk & Resilience report found that 29% of global executives now identify cyber risk as their top concern, up from 26% the previous year.
Despite this, 83% of respondents expressed confidence in their ability to manage cyber threats, although the report suggests this may not fully reflect the complexity of the current threat landscape.
Aon’s 2025 Cyber Risk Report examined the financial impact of cyber events that result in reputational damage.
The analysis found that companies experiencing such incidents saw an average 27% decline in shareholder value.
Malware and ransomware were identified as the most common types of attacks leading to reputational impact.
While cyber insurance can cover certain direct losses, reputational harm is generally excluded from standard policies.
Organisations with integrated cyber risk management strategies, including crisis and communications planning, are better positioned to recover from incidents and reduce long-term effects.
